Weijun Wang wrote:
+ // We choose to reject all version 1 and version 2 intermediate
+ // certificates except that it is self issued by the trust
+ // anchor in order to support key rollover or changes in
+ // certificate policies.
+ int pathLenConstraint = -1;
+ if (currCert.getVersion() < 3) { // version 1 or version 2
+ if (i == 1) { // issued by a trust anchor
So, self-issued cert can be only issued by trust anchor, but not an
intermediate CA?
No, self-issued cert can be issued by any entity, but I choose to reject
those self-issued version 1 and version 2 certificates here, because I
have no way to understand whether it is a CA or not.
+ try {
+ X509CertImpl certImpl = X509CertImpl.toImpl(currCert);
+ if (certImpl.isSelfIssued(currCert)) {
Isn't isSelfIssued() a static method?
Oops, yes, it is. Updated:
http://cr.openjdk.java.net/~xuelei/6847459/webrev.01/
<http://cr.openjdk.java.net/%7Exuelei/6847459/webrev.01/>
Thanks,
Andrew
+ pathLenConstraint = Integer.MAX_VALUE;
+ }
+ } catch (CertificateException ce) {
+ throw new CertPathValidatorException(ce);
+ }
+ }
+ } else {
+ pathLenConstraint = currCert.getBasicConstraints();
+ }
Xuelei Fan wrote:
Hi Max,
Would you please review the updates? I think JavaOne would occupy most
of the time of others.
Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/
No new test case, the closed/sun/security/validator/BasicTests.java
covered the case.
Thanks,
Andrew
xuelei....@sun.com wrote:
Sun Confidential: Internal only
*Synopsis*: Allow trust anchor self-issued intermediate version 1 and
version 2 certificate
CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459
Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459
*Change Request ID*: 6847459
*Synopsis*: Allow trust anchor self-issued intermediate version 1 and
version 2 certificate
Product: java
Category: java
Subcategory: classes_security
Type: Defect
Subtype: Status: 1-Dispatched
Substatus: Priority: 3-Medium
Introduced In Release: Introduced In Build: Responsible Manager:
frances...@sun.com
Responsible Engineer: xuelei....@sun.com
Initial Evaluator: jsn-sec-b...@sun.com
Keywords:
=== *Description*
============================================================
With the updates at 6822460, we start support slef-issued certificate
in PKIXValidator, which will try to validate self-issued certificate
instead ignore them as past.
However, the ConstraintsChecker will reject all version 1 and version
2 certificates for there is no basic constraints extension inside.
Here comes a regression failure, before the updates of 6822460,
self-issued version 1 and version 2 certificates could be validated
because there is no trying to validate them, after the updates,
self-issued version 1 and version 2 certificates would be denied by
ConstraintsChecker.
If a version 1 and version 2 self-issued certificate is issued by a
trust anchor, we need to it at ConstraintsChecker, because there are
practical cases that a trust anchor need to issue self-issued
certificate in order to support key rollover or changes in certificate
policies.
*** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei....@sun.com
=== *Public Comments*
========================================================
=== *Comments*
===============================================================
=== *Evaluation*
=============================================================
=== *Suggested Fix*
==========================================================
=== *Workaround*
=============================================================
=== *Justification*
==========================================================
Priority changed from [] to [3-Medium]
there is a failure of regression test
xuelei....@sun.com 2009-06-03 03:10:11 GMT
*** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei....@sun.com
=== *Additional Details*
=====================================================
Targeted Release: 7
Commit To Fix In Build: Fixed In Build:
Integrated In Build: Verified In Build: See Also:
Duplicate of: Hooks:
Hook1: Hook2: Hook3: Hook4:
Hook5: Hook6: Interest List: Program Management: Root
Cause: Is a Security Vulnerability?: No
Fix Affects Documentation: No
Fix Affects Localization: No
Reported by:
=== *History*
================================================================
Date Submitted: 2009-06-03 03:10:10 GMT+00:00
Submitted By: xuelei....@sun.com
Status Changed Date Updated Updated By
=== *Solution*
===============================================================
=== *Service Request*
========================================================
ID: 1-544857704
Customer:
Account Name: Sun Micosystems Inc
Customer Contact: Customer Contact Role: D-Development
Customer Contact Type: I-Internal (SMI) Customer
Impact: Significant
Functionality: Secondary
Severity: 3
Synopsis: Product Name: java
Product Release: 7
Product Build: b59
Operating System: generic
Hardware: generic
Reference Number: Sun Contact: xuelei....@sun.com
Status: Open
Source: BugTraq2
Reproducible: Submitted By: xuelei....@sun.com
Submitted Date: 2009-06-03 03:10:11 GMT+00:00
Description:
=== *Activity*
===============================================================
=== *Multiple Release (MR) Cluster* - 0
======================================
=== *Escalations*
============================================================